SPO Tidbit - Getting to know conditional access and SharePoint

Hello All,

The cloud has forced us to rethink security as corporate boundaries have changed, no longer is it good enough to build just firewalls to protect your data you need to look at how to protect data that is not part of your network.

In O365 to help you reach this goal we have setup Conditional Access which is managed thru Intune, but if your access needs are not extensive you might be able to use SPO Conditional Access without Intune and that is what we will take a look at right now…

Location based: 

This policy can help prevent data leaks and can help meet regulations to prevent access from untrusted networks. You can limit access to specific network ranges from the SPO Admin console. Once configured, any user who attempts to access SharePoint and OneDrive for Business from outside the defined network boundary will be blocked.

Default policy is disabled and no restrictions will be enforced till you configure it.

If you have also configured AAD Premium to restrict location access by IP network range, the AADP whitelist is interpreted first, followed by the SharePoint policy. As result, a you may choose to apply a policy which is more restrictive than in AADP. However, you cannot enable access to an IP address range that is also prohibited by AADP.

 Users will see the following message

 

 

NOTE: You need to be careful that your network ranges include the IP address of your current machine. IP address ranges are strictly enforced, so entering a range that doesn’t include your machine will lock out the admin session.  If this happens you will have to work with support to resolve the issue.  As well this restriction will prevent the sync service from working when outside trusted network but will not prevent synched data from traveling outside the trusted networks, if data is that sensitive consider disabling the sync service in the SPO admin console.

Device based:

Device-based policies allow you to allow or block access or challenge users with Multi-Factor Authentication, device enrollment, or password change.  Policies for SharePoint Online and OneDrive for Business help you ensure data on corporate resources is not leaked onto unmanaged devices such as non-domain joined or non-compliant devices by limiting access to content to the browser, preventing files from being taken offline or synchronized with OneDrive for Business on unmanaged devices.

NOTE: default files that can’t be viewed online (such as zip files) can be downloaded.  If you want to prevent download of these files onto unmanaged devices you can opt-in to block download of files that can’t be viewed on the web.  This will result in a read-only experience for the end users and customizations maybe affected.  

Site-Scoped:

Conditional access is an investment to address the ever-changing security landscape and business needs by introducing new levels of granularity with Site-Scoped Device-based policies for SharePoint and OneDrive to help you ensure data on corporate resources is not leaked onto unmanaged devices such as non-domain joined or non-compliant devices by limiting access to content to the browser, preventing files from being taken offline or synchronized with OneDrive on unmanaged devices at either the Tenant or site collection level.

Can be configured via PowerShell using SPO Management Shell

Connect-SPOService -Url <URL to your SPO admin center>

$Site = Get-SPOSite -Identity <Url to SPO Site Collection>

Set-SPOSite -Identity $Site.Url -ConditionalAccessPolicy AllowLimitedAccess

              NOTE: The Tenant-level device-based policy must be configured to Full Access prior to configuring site-scoped policies.

Pax